bug 982754 - allow some inadequate key usage overrides r=cviecco
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 13 Mar 2014 16:49:12 -0700
changeset 173972 5854254a309dafd0e4fb3fb197d9e8c04072a9f1
parent 173971 c5dc2de8d2246c2a35efa9564b9919e63c8e5c6f
child 173973 c2bc849c4169c0d0704fe2756bd37c01d0c66b96
push id26438
push userphilringnalda@gmail.com
push dateTue, 18 Mar 2014 05:39:07 +0000
treeherderautoland@89275f0ae29f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscviecco
bugs982754
milestone31.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 982754 - allow some inadequate key usage overrides r=cviecco
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/tlsserver/cert8.db
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
security/manager/ssl/tests/unit/tlsserver/default-ee.der
security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
security/manager/ssl/tests/unit/tlsserver/key3.db
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
security/manager/ssl/tests/unit/tlsserver/test-ca.der
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -298,16 +298,17 @@ MapCertErrorToProbeValue(PRErrorCode err
 {
   switch (errorCode)
   {
     case SEC_ERROR_UNKNOWN_ISSUER:                     return  2;
     case SEC_ERROR_CA_CERT_INVALID:                    return  3;
     case SEC_ERROR_UNTRUSTED_ISSUER:                   return  4;
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:         return  5;
     case SEC_ERROR_UNTRUSTED_CERT:                     return  6;
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:               return  7;
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:  return  8;
     case SSL_ERROR_BAD_CERT_DOMAIN:                    return  9;
     case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
   }
   NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
              "handle everything in PRErrorCodeToOverrideType?");
   return 0;
 }
@@ -561,16 +562,17 @@ PRErrorCodeToOverrideType(PRErrorCode er
 {
   switch (errorCode)
   {
     case SEC_ERROR_UNKNOWN_ISSUER:
     case SEC_ERROR_CA_CERT_INVALID:
     case SEC_ERROR_UNTRUSTED_ISSUER:
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
     case SEC_ERROR_UNTRUSTED_CERT:
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
       // We group all these errors as "cert not trusted"
       return nsICertOverrideService::ERROR_UNTRUSTED;
     case SSL_ERROR_BAD_CERT_DOMAIN:
       return nsICertOverrideService::ERROR_MISMATCH;
     case SEC_ERROR_EXPIRED_CERTIFICATE:
       return nsICertOverrideService::ERROR_TIME;
     default:
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -35,22 +35,22 @@ function add_cert_override_test(aHost, a
 }
 
 function check_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                     .snapshot();
   do_check_eq(histogram.counts[ 0], 0);
-  do_check_eq(histogram.counts[ 2], 6 + 1); // SEC_ERROR_UNKNOWN_ISSUER
-  do_check_eq(histogram.counts[ 3], 0 + 1); // SEC_ERROR_CA_CERT_INVALID
+  do_check_eq(histogram.counts[ 2], 7 + 1); // SEC_ERROR_UNKNOWN_ISSUER
+  do_check_eq(histogram.counts[ 3], 0 + 2); // SEC_ERROR_CA_CERT_INVALID
   do_check_eq(histogram.counts[ 4], 0 + 4); // SEC_ERROR_UNTRUSTED_ISSUER
   do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
   do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
-  do_check_eq(histogram.counts[ 7], 0);     // SEC_ERROR_INADEQUATE_KEY_USAGE
+  do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
   do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
   do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
   do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
 
   run_next_test();
 }
 
 function run_test() {
@@ -109,27 +109,49 @@ function add_simple_tests(useInsanity) {
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
 
-  // Inadequate key usage is no longer overridable.
-  add_connection_test("inadequatekeyusage.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
-                      null,
-                      function (securityInfo) {
-                        // bug 754369 - no SSLStatus probably means this is
-                        // a non-overridable error, which is what we're testing
-                        // (although it would be best to test this directly).
-                        securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
-                        do_check_eq(securityInfo.SSLStatus, null);
-                      });
+  // A Microsoft IIS utility generates self-signed certificates with
+  // properties similar to the one this "host" will present (see
+  // tlsserver/generate_certs.sh).
+  // One of the errors classic verification collects is that this
+  // certificate has an inadequate key usage to sign a certificate
+  // (i.e. itself). As a result, to be able to override this,
+  // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
+  // confusingly, this isn't the main error reported).
+  // insanity::pkix just says this certificate's issuer is unknown.
+  add_cert_override_test("selfsigned-inadequateEKU.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(
+                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
+                                        : SEC_ERROR_CA_CERT_INVALID));
+
+  // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
+  // classic verification, but not for insanity::pkix verification.
+  if (useInsanity) {
+    add_connection_test("inadequatekeyusage.example.com",
+                        getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
+                        null,
+                        function (securityInfo) {
+                          // bug 754369 - no SSLStatus probably means this is
+                          // a non-overridable error, which is what we're testing
+                          // (although it would be best to test this directly).
+                          securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
+                          do_check_eq(securityInfo.SSLStatus, null);
+                        });
+  } else {
+    add_cert_override_test("inadequatekeyusage.example.com",
+                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                           getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
+  }
 }
 
 function add_combo_tests(useInsanity) {
   // Note that "untrusted" here really is "unknown issuer" in the
   // insanity::pkix case.
 
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
index ab5dffe785a67ba80741b7979178ec92ef5a96c3..573698c3682875024e9e1514798754e06e922c8f
GIT binary patch
literal 65536
zc%1E>c{o&W|HseF*t5%)ec!?v`x+_|rN~m0eQepXWUoxJl%*^oDupCTWeFukD3v8k
zo5)@%N+J=zVI<Wg`aR$0`}}dgy5`cD^SS4~=e*zdx#wKxyg?+4RuBXsA&BS^1gYcx
z3sFN50>VEavbp~t=YFDQf6l%%yD=icHK-fHgPeQ(*C9jv8}AAL000000000000000
z00000000000000000000000000000000000000000000000000z<&;PXiRNH?X6mq
zT8Y{_)gIL<)lAg~%6ZCrl`WOU6{!__6zUXe<nrVK<#x(Z$&5)ipsUfT=)GuNv>KWo
z{R&Q(NR)7v*d-w>F(zIp9wn|KCL#7kv{p1lbib&KFt6}?p$efGAy1*z0;~dk{MYz{
z_^tRUct?0{@<j3&@u=~<;<V;`#W@WC000000000000000000000000000000z>*+C
zKt$>@|B&(!1B^vV!&pRW8VZR(A`uKQ6$!a$sCMWW6#_v_48inhT9}#yWkiHxAT`8z
zdU3DQfH|3|&@!+TT3Sk43YL~JWu}r@_!O2zi^F308vc#0R<@Wu-d0{1Ze5HYw~?on
zJ%)R>Ax&3Xag3{%qn95Xe0t&AB8VYWa1;awM<9cPp_A<umc*mvP7>lJE=RcX{O(l9
zNa_{l4jOvixI~tC{z-Gu4fSGDjnm#AC4KtqWYP@%&uAzFt*1;WW-){4KPK*opR%F!
zW00uH_111!EA34?<|JsaA(}}3W2y)v88UG)fvHz+m(HW0%<g+{I_o!DG^pEHTIE95
z!ptvyYH?3Tq7V=wJrMSXMQ}snpd;dixv`v%^TXPW@$;S;lmy1t%EjFoBVps_0!xvQ
ziILzwKT-sOND$_SdA~h}5ur>DUS94>l9JADHdf9KZk}FB3a|n!2~*BA&wxNo6Cq&;
zUNQ5GhKOipxBRqEP`FQp{6lH$2Zpl=*k?ShDNbVH*W~FRe+j!Re<y37jc{@SAEWV+
zg2GH*0Z+xZ-j*>c{3<yGs!2|1+G=kr_;2p*SKO{|L33x*JthW80s9DcnQL#hXSN3v
zI~vrePoKP<V040P4fU2<l@@x6uZ*UNBcnQJ=@Y7nM_wg2cz*OtF6)PW9Y2KA4gs-{
zp=SO{0wV;u*vfi3+PhkLd3#{QF~07O9vE9_<^_5}WvCxSH2cfV>t(miH=v1cV1bCp
zkPw7kb`_Ffx4t_>5@N$SL=5MU_&JBr{p=7HG!wiM|CUr+yc{qd++N>(q5z}O3w(lJ
z_!O2!OT%b<rRZiyPZujM8wYVCS1%85PcMw^d~cWImbc=qeCYP5QugW4+w5-EvBh=T
z`-E@s^2FU{YFu5AxtC2Q%^6wla`%SI2jVgrWjK*CZiSRoILql0hWNc}V_H|Iy0kaB
zDO@;n>xAQbSm)S2%lZ~km%9~o&7X1wr83^^Gf)vWA2sH?#;07T_MBL$H{jEucfnGs
zCFthharbBY@osT|?QoKxbqgEJie<KS!+5%S&5rLsY?EJ|k#Y;|^zh_O8l_|8_bux!
zy>8eRMh0`!Kla`ipA?ZUXKa-NMSRFI7#3VvbkmfAIU~krz(KpJv51l#qfsVuq-Txe
zWrm<B$}^<0!flw&eaULsY>&vpCN=8%R*ovOTvm1T#E9Nz{?sEfoox@%)E!nmb~Cd?
z_oybHCe8l5j_FpHZ#&X^en)<j6;3<96${=c^bquG8N>!bw7;)J!K=}turU55o<GWG
z#wQZXD?$F+r|%9CnmvZ_;T#e<=Mb7@Ib_izi8xwpcG|^N^8V_OWjW(zV8Rx=Ci1U^
zn>og5rkRYdp4yXW;a<G%EuVkQo`mg;Myh>#q;1b0)PM3ax{cfIz@EnS#X671Pd-pG
zlOF7P6POpaFE1iD;K_xYvwZ`PI*NSvw+SZ71g2yNoy&;kJGPyvTH`3P3#GS)t0B}*
zejhTTW@4RTI6Kj2!zm-C+sOQX-x)#)%0?P?PutaHLmN!*(Tdo24>&b=eko7AGD2;X
zkrjUUk{%y9#m=Y+Ri+0aNEMZ<S6|<y*Uptp8CV~1(brTtvq`r&tShc`I<=02>yUwX
zca!=i=jzjBRE_U;9#%%?3R8GC?owPyoNZiVP}RM$a&!Iu;fzs4`<@Tf)7$r$jQ{Ek
z2&a`lID!s$<oH&%@Tfse_^2U<7J-HEzvP}5%py(@UseV3m#%#GfdtN@SfnV<2XS*g
zp!!=MNdM>qX;T<R<1CA>6!@u6+&+$84&3t}DYv7ir#Hr9Q7haXEAKe;pr1Q8&BBmT
z=OmOO+MObvJ4IQtM@5%WQSS*)=h~i)tf^|s8OlB{Uf9&??q}XHDM|y6NMrjSY>waU
zYV;wHl~oO0eO)-4{8N}<W}B9^4Qnag{#4ErpIAo4+;{4ommgHKCKa<LO}SZr==#?;
zy<hq+wCGUyF&o5FlH#r43_HPscq?$h99XvbA>c>wkK5r|RyS9RuK68%RnwE{=qHf}
zMCG<O23UTLA3M4!(~EUfm)elTvO_5^)4M@?u)lZuA_)tRsC8n!A9T90=GZ-2?}V!_
zUbC##MBW~u?zqz}duTULw`n`&h8IpJM{`=$VEPu8{KoR?oZW#hqb|A|3A>C$e|9<?
zq~u9qIb@O<S^v{`A)H?R;03B5S5dP*pd{>rg%c-1!Qj?K-19BXI6-omH9xGJ7WhC8
zXH6_p3g?5AIUlU}*$4b++!`AHMyx+LZKJCf#=`~oiQv|ifAoX|dNnMHZ-tLwcjr91
z6i1Xjx4xnuf>gI*J-N=VHGcvTfzYMv=+ii>k}h+~RB|H+-B;pLc6z?g_c2U79_nQf
zqTe83<awcKFRK!_li)r^DLyB&>hP~;@=-?oCNu&jClyZ)LN})DGl|rW3>q|AXxnG2
z97MT0K0lpBCR5Ey%yK+VS^0QY@LHB_u=k+}yd#`o2bdr42o9JH%Q`oJ|B@dX*Iu!q
zda&l`M2glq=`%ys>H24TNlk+MJL_^$+N)QeJ?itcs{g#f){Yw+jBTQr*l9y@AHrq9
zJ}0_XXa%qJ4J4!PNfO^V8SvOEvY@RiU8}BdnD%JKrt2y8UK8&k>@0%)__l3EP02@{
zV|`nGyVbC^$$NC<&}hYx19mb^`@$K27%hZT&5~q-cLp^C{a6kOLC_LgKrL5EGj4&G
zTZH_ve=}_eF0FsxDmUsGF0h$6Zg^Ov2+n4)b2cOW*=B-h{@Jw#u64F;7-u{28M_i#
zHT}tGOKoQ{gB2HE-}HXvT1@fO(;5@|{7t*G+)8{0oT>$k4r91K`J{NNyI=1Kz_6r!
zK0>0ae`<gsI*qBa*6$X_HuT^rp|%>-rTbO8lU?;;(k_0c&XcTc6=o)hZFw$LyDZ;q
zc;^yjPEl*5mwrFtl#9*eusW^Ji`R5Y{9GpL>Q=f}&GoXY@CLJoF)$C_V5?vjER!d0
zH2A^%<L<%;*JM{zxMmTT)qV<VY+d_~U27;pZ_CcHwj!-5o`PxO+tHGCmv2ll%Que>
z42BMono%1UGw893n2`4;`Esf59W#j>QqPsj96o*drTK~H-8%Qh#0El=i41+#$?fR~
zdPy1ZLSaO*xc<?Z5=HY8gRj%r*oNRs5~=sh*0_F^;rl*R2&a@K?$Q~R3NLkI<bt=r
zyOR9-+HLk&MMC&k#fRpBx$wVa`L+Th)DwXvZ8^V2TVNJ?hzw^I+;IuvGiMg!C7$P6
z@cmut$M5e_rZ6v>8|K8<F#pY$^`S9=Wc3GJ%5g>~70-!qwmv?nZ*9>OJ+>w2K^t?n
zU$)64*|00Msd`bqDi0Kkr3o^O8q}w^G@tGYy&G0=v@(<E^whCP(bolatE0rfio20j
z#*1kktJtm>L}I1bkmi!L;mT%rNrlP+t+iUtIV&=I;?9-x9cGu!Kt5*LG5TTd)Rrx5
zJv$1VDVSkKEW_M%^N%|sf^N-w#>%gmI<k$KFKY+V_C(S+_qUIhnt1qF9j2EhW4%mO
zV!t=jAy|%oIy!LL>Em6S>}fxr{t(+TG4+#mf);BV4wiGJGbCvu#za(OhCg#8T|b>^
ze6X-5epAV0zK68Z>5kfj9W9xjR2E~Wn|kyxeCI}<GnHBHuSkA!i_2#ITRAbo^H%fX
z5rdd<;t|4$=jfbxh<+9iI~q5g;OpuBw2+bdael?gXyJEpf=7}cT3bv|nTcsS*9V`;
z>xE_?;i2$2jMl$ax+d*;w=J#W!|;QMsN}NvG^ydE;#oFdQyr=woI9?&HikLcJGwY@
zEsK<2*{$6g@`W!pgeV9eHgDvTqTNQ-traPslvH_}e8i?$s_2=17Nz?Bi=$D4hlQRn
z_>{Z#>CrORwuoHgHhXt*ts9jaUQmv(J<Nv}6g#{MOFl0QES2a#uBs}T2w`3G3C9oT
z9d=JOJxegqPgUd?rmR}unbz^ZgKhIi<me9X!wCP<7}q{V3Z)gNqcbubTUg(<8ikg!
zS5)S^T=Lb^)-AIh?~4>*(ma6_@<-((AMQ9zai&Ji=aIr__<(Mgq2z(8CVJXSjI7#Q
zVk_E8gev5b<vgd78tJ%By4iTTYigR{cH6?e2H`Zbs7QW2EAvMsAb;~#^U6gG&rExW
zLEOV+PPwS%pWgpfuZydFF?|k-nI*U9O$v=SJ$&oSJosve`6}g6cUs*tgr~cL6rz3e
z)8hwyJB$xcWJhj%S!$b{@1p(8LLXtLP07f@&J&ZvSA^|*ijKQ>{&qrJc{nC%Z?T@<
z_~p2oV<S2fuGNFjNuH@mVRh`QIy(AmW8btG9J(2^=b`T|s;MEtimqw9U3h)!z}kN$
zJ^Fd+k-;RmA4mit0qWkT@QHmR<sV?v%gMd!rmnd+-}dtNw+>G2Knq9vuzY%Cy)ny<
zxVWy$I=@3YL!}mKq_Og~+S<JK{+<<<<iiseNmm8kBkCejweIyjw#j0>KHZ}!A*Lgh
zH0up3JFfJ`?JkbVRup*Ov@d`t{ooe*@U4<emF>4uCxj~w(8DScduP5e&MXyi`}()1
z<H;cC+h#MzWrACx{vg=-`H^OJe#EUt5ngjDL;NRHwhGMxGvRA!mUB>j?6_WGRWcVV
ziQe@LbWRoa5=HB9=n(~$6M95K$JuXFMk+qo$h<>Au_;UC+`00;z*F#PlA<TWyQz`8
zo*kKDh|s=LSu}Lj=+Ns2H3lz~8?jPC+dsV{A~MlRw$~4q3zi7V6;F>mw*NFukr?p_
zgAMZa+c>s8@`=9pG-}K7>u<6T{twK7i4`xj5?Yw^bv{0Iuxbuu3Jb4w7RyzxyWJ=1
z*~}(&|2D&6jEiUI+oqL}zjFA<%E)d#nO?K(FQVo;Zc(Yb3xi%|-|<5d-5Eb<{F3}8
zLzW1C)Kf;C=GNS;<)o>aCTZ@(Lmr*023@G7>W-ui34LtbYg%-5BU#(t>ap-dr4rfs
z{%W||YU0Pb&dmkF>EgGFWQL&MRLuyKU?FNTiOl>R>?gC6;GNk?@D}bNf|n;Tbn56i
zo4-9b_p4BUU%8k}TdD(I?^#jBbo8G1wxptDH5sRiI$NX9>Fzw+Z8juI+NVMKS+as8
zF8j*I^7xH#FTdvc5*L|cT=`#f^N2i@H<cw&Wwnh+KH4JEug#xuKK2RfZr}YEwZcg!
z@2<Um!b3ky=?<9-nL@^7-%4+R70LBq#Mwg)xl%Y!nLT@Tic?Uu1TRxu&k0OxKl^t^
zQ~c+tMTp~6Wg|Y=nvgMZThX@|j-a`V<B|*A%Gg@pk>y@|{i2%xZfS*m5lz*zYPXx8
zx_gh<OvpNk_rB_u$$RpN5#Ax%BZV5bYxpppd%kjjXi_WI$JMeXK3>MUrl4AEdysMJ
ztFHb8i_p=1D}yvq2A6j~RNdVh<y@UeuIixeHuK4@)4)k(cJKZEOd0M#y6X2YBfqut
zT_D8}DNY;(xCh5#0{NRcj8M&DqR6}b`9f@8d)FEbGsX&U@d<xri{i5Cs;0D7dk-Gn
z;Lf%NDG8T5v3a-L_8MyRNU-D&IN#H93hCL>z#?sCE}ylzekI)QA4i7HuycG+UFfww
z?yb_v<WxV_1N$^Obq7OvS2w_q&+ECZpj4&ZA0&2ys_t3u<;O-tHE#l{8dZa&mn#Y#
zfzO!BJ*d@*)Cr^>Pt&$e#)wu3#}2|?F$yWx-NcEfp9nnH&d#ACddTY^arFMV2PyjK
z@gN>(^ZVBGVh37RT{3x`r}U{(MYdwVq%BH4?UIn~1rF02&)J(pcJqkr;&gH!i9hHf
z9lm8>d0DPyZjiWS>bv&z;qtu8Crvn{v)0Y*)bE-gG`Zl^u#(UV$hlJ7kq|P*cz8Ox
zxkBpDfZ9#9bTv0M6E!(CUNsW6!8Ijo(%1N@xT|bd;Z%99{75-lIYil1dA%~T;-EsV
z!YKtu1qFo>`C54&*{!mCvQ)AYQoT~ya1v|<OTeR&FD28(W5mtG#l+vQZeATB>LQ93
z9TzDQNfR*;S|daz)GByJFicQakU_9eAW+~b?>642y#ICz0ssI2000000000000000
z0000000000000000N{U)@7HPuL98$q=?7yGU31rJuKf8rr-h*e3-9(=5agk$YxIYk
zh<?43`!Aba>}sjbMCLMzvmDShalb1Hd+Wzbsn2<n*K>O)UwZWB-j(gQbY7g1cKfWP
zP#ogdElF|dnvtzkrvl|!o!v57j|cR5J~^ATBlPlbwWqR;dFT4}=7f|`7d*A`DohF_
zb=v@G9hk@>_lKAmV*Jx?r9|&?9W)zBE>0|Ye5)j^e_$O^)kFN%Qo%`ZZ~`oezt&S2
z7R2&@zYj+IdrSsyaR1@!J{e}72@p}j6yHiwhy}4BL@<F1wh*Ix1BkX8<dUoOsjHM`
z1oLeh%H0^qRqIU8#~x^ym-#$u;`B6s1KSE|Wvq`&Aw$7lTgeHG`^`*$28pfbP7ECJ
zJX}H3@8INf>2{zk)a@Fsbv%A5n-o(&D%WNy<D1KqUsu~E+7G>w&+jAedk7=jwP-24
z7{_H|l=ZjlvYz_gM+4z>_;(7yUp~qTLBDMpQkc00?C)Af{cW$15G4PXwaDL&1V2^=
zh*0{<%w@6!16WYYj^p_?No6TjNCKVuKJl!E7;zJiFmB>GHaGFmFO(<IlJ3CzH9=*$
zaW9L`CwC@>I=DkpS+8XfLr0w7Z>ZvV62D1_`A$Bv7fpGLFIs#gQ>QGntj2XE$@qp9
z=OV_a^%+aU`{USRnwn&quSa~Y4D@&-`ankV{Be@f@kFV3HwB3_3eCcTjj#MS`EqeG
zz|Wm-n?x3z-_`BN|8Zn<#wzjc=5W$FktPAD=Vk|M@bk$Y*ll)5xY-0ZD`2?^1=Rd=
zSCA9o=ZWKnME27kPSL9iV03mh`KRBx5HblzQ=QGaEfeSb(1vGaYj(3zE;ZLfX_XS)
z0ab*Dy5spsF+oalRia_{?UAM<CNJ$w%`YC2w(l`-4rWLW$cpsU&JJB4S$|=(0ZCs^
zSi^aNHCb(O?L2&^hL0D$vZj|N6Oi2YFg&I-=n-A!CW5Iv2!csLcvG+~h>0Mapt4Bz
z3hFPDcz$*H(rb~6ba$a`=zp>e?SC$QXjvIBi#jK#OfSCZB2V-ipFrKbcl+~JyiKS2
zq|%{QV6;u;#C?zcVqf!VWwNC7=m;kMI*yi0M5tG-+6oo2Mj<4}J2JcdnDR`$z0{6<
zVtIdjinN*Uqm4?<p?sd>%w@rwbwd;r$8F2qM)$PT7?U|l6u#LmDJ*gOY*^g}c2P5^
zLe6X3&;Z^!uCVj$cyP|)fw{08zkIO&_>C8uHFnJ#1a=K2$f&1WY|Zd%$uBKreiyLz
z;%JbtOWM$pXVmL&L|YhM9XtAE_vd?8U7dKQw^-_~OCjH>A<Dh3^>&M5^Vqty7Z(hy
z*1U9}5jjTEU7^ZjbYDVmk6h~HONTpywgSqu3eUG}qO`J>CaFM9BT3Jo$gi^SVnri`
zLM|8+h#XoZIB5QGLLiuB#xaXzv!Irl%=2r&#Gh*jIAnn{xNwHXBH3`x2$^#R_404&
z{nZo8NrPF`63=pkNG3ea#d5!L4Wt;l0bSpCej6jR?_0kKgTX-Q0@|Vx(yPxOw;cI!
z>p@cHR>fSZM_1IoHf+xe!>W^c$`F$%^dG#Zjk%@q`2Aa{Rz=-+E(~|6Ix0HrQlt30
z5uDi?rU5VGoQ<d2`g+xLM2~iS<iDiwsFC-{I&{d1_qz0TdH;UgP{x<u&p}05H<eo-
zX?Gd7KmHWIGO@$fZ<9?|TrJf;v7OFwEd{K$IT{y~sm1~xyz($PQ!H56BhHN!e${1B
zKba<wbI)8Of%Q0Y?M|Cpxs1)tV_War-J`5GidT)j?Mc-W>=u%I*NCJ=E`v0LOJ8+!
zj*dKsvHvK2xMi%>n1$5AU$S}-1T%y1E}&fyy!9<Y0%w6mB3V$&59OJ0fz<NLkU#hA
zy9;=6J;Wk8aV`j(a{=WNmsN`<J}fT@W>Ftpm`IxZpiuacm*Rk@VV0eTnh@GfZxuJm
z6K<}J>tH&GsIYfp98@-~IUez)j)_+rQu(`{t~ij>oO+!)+9WkTQnWvOUzumf*a>(2
z@v}y|#W|-<tvU<&QY^mqpk$fPxL#n&aOYbU8+iQg&<iOdu`|AzCCt~Z_8du5*SRv*
zTVqA=c087a>x+MUF=aKeyU{oK1(vQ^(lLuS{H8&yE$hUDu|OBZl4t17<8w87%|%p#
zx0k>na(<t?KC2IWZv1$hzDvz^)oHHU6MCCPytnqz8>;3FqXlHU4%=9xX)4zn2OX$s
z9yqu<W<$fPrd5*--p!pPJsj^>aHuw$2b{@p_V4Cn?_bql#=w|*{fD3)1i`?d@AnLU
znaLGFjN%>^bBdx^{=6#v<GhMf)Y2k<77a_d8II)Ek2O@(Ycd~y?0jFu)0slD<fg2+
z_@UKtvLbwjWba`?uf*h**3`7xD*?u;2L0slC+*0TOQLCXH&DT^Wz?iri-g$`<*3o;
zKSv!bVBU6vi^DI@JmT8!oq9WZG6&QoX*SY)&i&fIa%Y71unS*N=Y_)jB#vFr)F)4e
z*Zeo`9X4XyFC&RPA0sJnEH~JajYpHYl5Z%dY<-mlC(nbJh*m81_@&O(^6DvxN|F_)
z?i$2xbu>h~mF?`?=ddmHRyX%l^YK0Af-O6Cv|4det7BY(xS!PQI)*TDHO^mY{`lBM
ziiUnl?R#6^ToXrkxSLq;k(vpG)H6VD*bIjvKO_a%El8Td?e^bJmMiAdcD~&~OmJh=
z5)*vpXETM_=qMSS_D;@ek9@IAn_pVu_HyI4#W-XBpW#t<9&RqUNqD!bn~&>K!lOQ9
zrL`W6Bck?pD|_%7!Ik5`!gPNt|M5dTNQv=SY;dPfq<xdVYoN3J-KnzUPYQ<4Pt|k;
z^zaMC?2mr*Quus_h)!>CeDt{_ud#Hin<v*YW=zCVZq9K?se8g|CA8J7*4s;i30WI{
zceh4XG*&DL9$?HzT~W%(xXa0-zth;PlW=&{+yMSd;Zd4jdV``IlHD)azHjh$&@Fzd
zJVl&We&SK}oz$22!xA$h^Q{h4VpDxz)1DprAo(T4ztXQu7JCR?bwHD3J1e)UPz*Aa
zFMCXBq^6>3bn=YJ>7iS?O1cjQ*&R%--Q3E0x~fNt`j8dt7o=9$Ykv)~_MZ5rY@=8%
z^UHRWI?;jaVt*JdgwxFug)$!>^<x8&2m~#;jl~0`2&n1L0a65tkU#ct-iZrRcV>FM
z<ZK_*l0$&z{mG2`Ot44>oIeBS{7JI>yJUa$;!;w57Byha<mmcxJ9L7ax4-gz4Xtw<
z9NoyD`Muxo&4<}beJ-q{AfDD%XS?rPwbg2OTRMXICN!)XGhP+fD^Af};M`xjqp<Cj
z(vvTHRArhxyNj+UW^8%%g|5<t-dj_D%bGi59=nVKWuA}4(^!gKiPm!q*qKp}y>NnQ
z&3Q`0oh~QGb`kmf`)lna(Orsk#6CBRa*G0wVnmKjdAYxKpT^3wvc+g}zh$pgpk$CM
zl$z?OYG&86Sf{@^|MP~JEf(v2`1VDcUh}*hL2YJ-rqe!aYPEy$zzIDMFW#}6>oQN&
z*}v!gXm|cnaOLArIlDYfp>WZfLllgCAKB}MY16Gn-wg=sJg#)$;ZB^-TtX1cc$!b0
zSeW2RFm?yElu)G^|L`wmL*)D!m2V*fzsXF2xFF~c2`#AQrL)ZRk#q4Dk>4^nzB`O!
zHcXcU=P<W9hy5J>{a5#)Gol$_I(!WU{!7d{jEC3a>vkGM|300`i=x62*Gg63{5vOj
z4ws9|2Pf4(vB-EWFL^en(*NAE;r?fw#L-_Q?q0X*I6O@MvBr&}Mfvz8WpX9APahd3
z>)P9P<{}KLJ+`xuuP!SUk?Xt=sy_UFy=H$V*4?Kv#M@Q{V|c+SA^a#wdCWt;>nDz+
zbPldYu-~6L{XY<+;aN0#5#h8`)>L0O{w!l@^C6qdZ{Hv4BncJo^D3#Hr03mY`#2fZ
z(;clpxk4^uAlm*T+rGj+#Z4Qr2N+zt%0uha8#oIlwCfrn>U4(#pE9kjrK3{B9BEG#
z5D_CU<!!#Q!erMeolME~sM01<D&Me&0e9R&wwI>(Jmgf0N=##((dz8p!s$$NR%Q@R
z4!^Y*176)fRm?bzU=iv!s+bWj^KV{55_p4|?b#QL;z0f;*kgWD_!h}9W5PeAJD~n_
zHj5OWY%|ju>$lbj4xYd-zy8~Qm;nF)00000000000000000000000000000000000
f000000000000000000000000000000!1VtCRqn<g
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -35,16 +35,17 @@ const BadCertHost sBadCertHosts[] =
   { "untrusted.example.com", "localhostAndExampleCom" },
   { "untrustedissuer.example.com", "untrustedissuer" },
   { "mismatch-expired.example.com", "mismatch-expired" },
   { "mismatch-untrusted.example.com", "mismatch-untrusted" },
   { "untrusted-expired.example.com", "untrusted-expired" },
   { "md5signature-expired.example.com", "md5signature-expired" },
   { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
   { "inadequatekeyusage.example.com", "inadequatekeyusage" },
+  { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
   { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
                   uint32_t aSrvNameArrSize, void *aArg)
 {
   const BadCertHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
index 7e6f9654dabd2a6220f7cecccda64a707059f9cc..26982feb98235d870402b6be7f3e4f9e4ba5989b
GIT binary patch
literal 527
zc$_n6V&XPvVk}v}%*4pV#K>sC%f_kI=F#?@mywZ`mBB#BP{4qXjX9KsS(rT}wYWsV
z+0j5woY&CAz{t?p$k@oh*eFVz*94hsAY~|FAO_LH57y(Fm!g}RSCUy$Y0x+y*#<^d
z2Ij_I27|^<rp88w>zOVVQZwZx+5C1dF<gDLX&u+KPi@^660`hR)ThZD<ms_I<0&3#
zVR?DE&9Y_tpViDWn9sKD#;0sPrr2BE|Aad|HXh#gep6`c%QMG=?pj}LGE$HD`j&+y
z+-+uhV53>1UhP`l#XS@2=kssVW}Ow}Zhk&kHuzF`-^rW3{?m59TG`CR%*epFIMX2A
zKpE(ISwR*V1F0s?oc!d(oQ(Y9k|tg)z0``t+=84`z2y8{10yyLZ8l&au`@EVs2Qjj
zD8cv!jBR2WB_#z``ucFqRu%>p2Koj(AcKV&8UM2|88D!QH8U^>rXRZNHub9bX0OjT
zGZL@Vh_!c|%F$kHeeU2ht>P=vMyC%7cctbQKYVjpgrUm1<BLeoV?UFp(JOyx#d+oT
z&dJ_d`(ovhN+y;gKbylIaPAXcuBp;{Q`GCqwY35J+2^>1FDPJrU-VGwT`r%|x$Zgd
Y)jwY>i`uryljBa=vF{zzt#+CM01jffQvd(}
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -140,10 +140,11 @@ make_EE untrustedissuer 'CN=Test End-ent
 
 make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
 make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
 make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
 make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entity' otherCA "doesntmatch.example.com" "-w -400"
 NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"
 
 make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
+make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
 
 cleanup
index 6793d58fa6a354fe7a401c4fa9dd6f85d82975fb..f99e2f218956c4f7c6d119930a51903582f10e0e
GIT binary patch
literal 49152
zc%1CqWo#tfmM&;BGrP)VC^IuNvt4Gk%goHo%*@POW@ct)W@hGl`gUnFAbpyVy6>4Q
z<s)q=BY#9jO8F}G%B5I95a_x<KtLcsKwz^#KuG_32?PfO1Pt__3kd383-s>+<lprl
z$6)_j*#Gf<qLt?!(0>B?yFh{d7lQ)+U;T*y0000000000000000RMY|0P;Z`g_D3w
zfJTGXhLD2Lh5-3j&5r;|2Kog60Pq(m5HJv(A4nA)83ZgvkXX<YJTM$MFen{17}|xi
z6DP(*JoO^^TxPz9K<6XI<r@evFqj{Rk4;!14>}nv+S<U|_cGD7d@(-~q-F2~`sKcS
z5ALreT8-JKqNc1ljZpc$7)YqmOWvJF4JZAv4SJS=Mti$J-eaAVq6;IgBD*>Pw(`A<
zMVRxqHZeb6R8jXl>{yKwYM{2WtvarCq|rIUJtzvatAxqJLqmbWp0TEUXlZkoZHsvb
z*eHbj2P4&H)yxbGLbe5!qB1S-{#3#J?ov?Tnp2xy=%hn76k5L*PrK)eAW>x~(-}nk
z%FJ-ZDy&t@7llh0<RaO1YGIR3gz1q8QmLNTxKJ8RCYEBK@Uz{ON8^DFkArz5j4fhK
z<2<j)7`oR0OgtH8j_=w%=#aK<g|n?Ozh^Y>(9QL>=ufj1Oe?lQil}*40(KwzMDC*k
zT1hx%=RO1U>cYc#P_rZ>U`8`m@@zR)P>oT0g0o!Z;tGdJE#-?UqDKs1*c+)uw}SHe
zp@74rFx=wejp%mV`|{w0rQt{uQcDqjzf%kJzo-d3j&RUT&PME$$Skdua(Gy~v1Y3Z
zc*uwv>+h?1Gqe}yrmD%VtM_$(kLMY}ci7(LBkv=X4%ljqPOh1;qsJRgWsoN@$#o?N
z)Ex1*Be*&!$_AA&GCBA*9l~p-idhoZ@#J;Vc)iL4u6@nzEDXWVw$f~ah~R=mk>?WH
zJZ3aeaW?Qf>qe<@&J=g}j|6_ug~Ar5Zzb3rg;R3ieaTFM1|M(6&tAluCpXGFg&Up|
z;m4ak#1E*C(~YH>T%Lo(*%g{*ItJ*n@2^puwpM79NGPb~hTK=uX}9f=aKp}27;>#(
zz`NNQf&9Y-8hsMq+YaQQ@}e2p*HFVX@)j@3S%fynv)(Bhj%^gF7a=>=^lIb+K=|~r
zGX;$n>)wDvfhCc*4*B!A@|m*KX~lmae}K2*pb$Qf8DbFF@pS+JAIZDluQjM2U~}M`
zk$9mq5SnQWhJ57KfhrNHAQG!&vS(fbwSO8Hg7Jo5%FpPC8JBYTgW8y`Wfwy+4Pt|1
zCB<`cCKdY%U@6c!2EGAO14s=ZHUEXF>3k~+e-4+z8YG=H5cltUO!bN?`J0-j3fj$V
z{5~>i#?cdJhbqW=%iL-RZ&jYQi!&iJiK5R#HPd%V(S`@y@C{A*oG^(=EB?qzxC7f_
zSiH2ummKi?Aa)^DL-$GJY4p&mQz2}=Qdfm7x=~;RIqDWMcZR}gWUY;r={{4?rEGN2
z5ckC|Nxs9S)qA#!Uth7EKej{O>mfv_y4hn@8G-~-1*GPsZCw02(lXCm?11}?RT44g
zB3n`ArPrrrDSALlHW$%4VyMZjFz_C})$#@sb{9%B#?6{LHeNDUGA-H$A(3|qZBOup
zLrnrz0%e$(v<^-Bd~|Z77H>LYdsV9}>P_9UCc`+y7b+{4&c>x0uhvB2tJ#Rqz9OVE
zDT0wJw5@Ci$ab(nfD-AM256EVHx~FPkmqtaj&Q}1m<FNv9*r^Mm)-KOJ7_I4fS0-N
zp@w~CUc01zw@N&UhD0RP2|2tP-*NJ!mX>uDm#ibD0!bZ^y-`&GWv<wdU62<{q#<4W
ze7utkiiD6jTl_Fmx+^CBG)t(-H^I`12qi*==~Z%Cej1}SG2;X0e<t)qhe5dfLn1F$
z+-VWGw^PIe(jRcSO{M#VZLNfzxXl*3ope@%P*MfHy`1~Au6fU)K~%hW@ra%;h)gPA
z;`He9iOEf@2DIjnpzf6njcnG7rf~(_6~_Si2nKUY-4pO9lgu7wc-vLcg%6qh4RSOU
zqL=KyF0((c824PF1jcLUirstmyTx_hA32+9)zY^-CwwW679?Nxt$;|)K0*))OQ{w{
z?L0LXjE4`sliW5Wye$SnV$dONA6wB3)1aISP(97{47(F#`y20fts_hZQQYHixF|$w
z-^`4UVmc8-1Ci)kn;Y7suF(Vxn?F~ERE+DSv_!01T+Yk}iIu_(@gJPi?fGol_T3G!
za-PE>B;~TsP@{4%`bJ&5e<;vjW|6KBfmV$Tn5SCF(LwGKVeDjLfA7^$NnWqE9MJlG
zDtciVsSPu#B$Gdum}RN|e#?jCym5leL4>Em$EPb<t1VMH@DHiUaVOn1A#2sm;ogj8
z@T~2eHB8g|o0?JX%?w-(zQiSjpTTG9XzLK|Kf0I+v^mZvJ^5%%J2Kvt`UNt+5!2NU
zXL;2}ESI71z+El*2^ihkAOtFg!NNr}Co4T<Eg*uC2_e#hGk7^m*(buL6iyJYc|S-Y
zEV7NzOFHJH&pfho)1d{4Q`16@e@2cZD8-wdK&<pD(>k|4oBUKB_nS~Ho_4iTap0Nc
zpgb&?vi&?3JGD(|&1U>U=x8Ar1oIYd$EvDwXsRnXzs^^RnxT%WdI9JEQqd_58<q$#
zS8*f6(?y3<;*rQZxNQdFU{$lA)i!)D|0PyX;4)>WZYUN^*<Ya$LtT?XR7i7obojGQ
zHytJ^Tr#AXo|^`XwlzC_3OvJ_;%V{)p+gd{(7&Q1RKJ(V(V(RHVbH_kj7h`ETbqNv
zg|3iIYw|3IKmPU|T{+13g&Wb`_kNc*%B$qTL}i|DoR2c%OfNtZF5T{MQ7Idmm`PGY
z83ufkgGk#M_SNpR|4HnI*V_BS0tEBQkUj=eYV0_RYJ9vM1c3_YF{Mp)3dlkh!IR`Q
z8I$iDD{NP{XgK<P!_4&d%%th<se3_Ij`*sM{oo8A#ar-uf^NIQhgwginRw_m_V~{k
zG+ay;Ug0;YgK)Lgw|bMB`Bt}*GJ-_R`%x8aWLt=a2_TpQk)ax2rc>qAq1|BlL}@JZ
zW$1UcN8o(3Sn$&gKTSv&xo_X0wL3y}?T9ZmrPO!w9)u)lBDlqYmsNcqy+#;^$Pc6R
z3_-}cY7b`|e4(~pIyZj!{E~;8&6}Ofd{BuC59g#siie*e?Z;}(I6eKt<+T__>Fu!=
zmJSQ6Z>vt_lxzoLQn1rWj8~~J3lW}Pt=Q;!^+cS?H;%^{uawDNM2@?-<S(bEGZ*zF
z>p8xTS?XG<@(y)tg`m#YSjSBO6z7NNsTg@Fhw@wdYd2^(xIU(@5G?yMHiF`$ev&GZ
z`h(gUsxN_3B(_(T-4jBWeLBaoShPmkhL)|bUPM5|q8zqxKfb7oFbs#e0AvY6?eQib
z=KoUvZ-SG70%QGW{r~U&X957=|3CiW?qcdG@EM>l^P)eOL=}Vxnenmty7%|)(&0EN
zh~n!n5R`8V|I<*mj*BC9w%p0cjaXzU(attH^WmNX_(ouzNXRfI5la_+Qi}&Xy^jEm
zkI_49(tjSPm()jOCY+<v9iN|%dBi|^-@{Hd*j7#8s2Hz9O#Fh(;mJ;(kuVN}AOh{;
zgUxx;*D9o=9Vg43>TKw(BuyTT!s82aAR*>^RWFO(JKuf?m=jwM*mc18G5L&4hghWu
zt854Jbx#}SQ{RrdPnOedG7=u+yjoB~jku<vyd^VVbcJy2lyQoWj*zRV8#`(;G4DAt
z8X3z}l4y|jH$HOuR_nYy&hKRBW?OTZuw%;`KO*hEPw?cssT~CSQCf?yDgJQ=GjKv3
zW-2J>;c>u^dAzC8-JH5%>`X#;a!?A=d-&Oe&GTKP>WZMlWyBfk<(L~vU{)6z%7mPt
zPr-@CQsgn=^z)=BzvGerB66q%hK2YEEq5Y;<IEZDH*Vr3E=$$`CzC_$;qoQ|WY9yS
z#drLmS0y5R0=?&P<t)wDD1kJ>FNdygKRs=SB!UDs>Jb%}gyOopji2B7ij}*5jIHs5
z3;I+&^&yMYs-NPjNh*#V`wt2je8MYWgWYq0=2_9Xva1heeYCR7Aj%8hhWXj!#B26G
zzJG3o?oiNb)I$>5Z}W@VLB~I?sVMAiTyqI}Y4Ej14XXy1Yyw$c;$X7>oZ_AQab-&g
z;h;Rdlg>@G#gX()yh{(~sV|PH>tfy}t`p@}h*oZ3`jH_4L3o9^+d38vtJ)oOOw5Ls
z)(9?f-<@^L`i3S(#wkP{S15hnxW?k~u8J<u9-5S!BJV8FvfN3q$c-D81eII^s3cWn
zAb@uJ3B5<nsi|g&g)TL7v-danBeWR}b&F*<UbSm~FB7dyL*=ESeR~yDa>??1V>@3n
zB!9N!9j)`xBvX!}TP{DFrx09vGnNJr%3ZQr!lyo*D=N)UrK8xi0HY()lNpJ;XcQRh
zT?RQi6iD)WBE|uWmc*=Q;oivU&Xl;$G@t%&-AbUQVC|}h1)KbTNR8%l!7`bOO>b{3
z$I6ppev<twOz_{-;7KhaYe^JC^Qy`!^Sox?lb*!$yf<^o+i94Xpbh{2ae}mGUjFP$
zkTd0bs@%PjPO2!|(hDEo4vFSh`rTEw0oOS$`)l9qPamha3lM)yhQ)>B5~LfQBUW<D
zw9=n_p-N6!c;C?pE7`M(4@g?-uCAN$`cvSn4zcv}DYu~Bo%1WnH<B~4R8MMV(wLXf
z$F%{V@@*f*4L0LqO$vi+Z$y7(N1$>f|67tLhC7(rvr_9FQS3j~UfZ&Luw<!Qf6Q#{
zOhJl~O+p~I8{{0v18Ig%J7srssI7iueZLil7<q$tl${jTWVfaj!(D3x27<3~&rgP~
zWkW~lFFAXP|CwLv3gf4$KBeIpo#?1I6Ym{io$1e<l$y(+{)<EJ-0}?<;rcQgcwj~`
z`|F?^cw?+%w05$T_;I3`Usr#;CUTcV#q(XW{$zOaSxXWt?mdqn4IA{L=~xzXB(;Mw
z1-!Y9_P4um2tisu@Gzd+g1fA>Gd<GK1q{~r=glj{FO85{1l1+)lIEGtFqJ=yoR4X-
zzX#aW!f7IMpQg!jz!g0m&57{^`6M@RVZ>?Nx_xi|^~*--U;Ig{hSy9l?dvxV#R7jD
z15$n)t>}(?ih1Mm?6&0~;0B6%d+0jb6Nko|f|^Yb@GAI~^;DAtzFqUt*C)_==yBDd
z`U9r!vHyl9lnBM?JPnq&f{7_=54pM;R)~)bv|6rbOBZSh#x%ixLCnyFL>KrYS9{5G
zWzg(6@|M`azARaxPA8BbCd@DDR1<9hieWViE`wKyQ`9P(TE|vvbdvfMsHMO1Saw*{
zXhWr8B6=NX4AQuq*ti+*3cF&iET>U<<zW?^$SPvBoD|~Ct|$)w*vbRusvW3JyhH&V
z)8*XtP5#n@u^y@M9<p|AX(9ZkdpxD^7kefAYz^<nv}$#*A0L!G6F3Chk^hL8VK@KM
z^*O^LyX1u>>M;CP@6KdKB+(u)ZYjUI`*ysA^5^>D0j~r_%+?)I72E90&t*aSfV68#
zl*#IUNDZ9Ok((<Lm@6OTD(SuVujkdmij}{qVPRY*2{~vu+H|<5M5zelRl28am0QAp
zzp*?bD+sIL!x(8VW}}Ve6eWGlskn@Qxs!u4|8*_|bo3g&nDic+Pz(A>AQf!6(O=f7
zr+PD$;W*)a*mabxJ1SVOr0PV~YbN1#YwWQI=i#g*{-Qs*D5uO8$!2{0NVqJ15s8pn
zCX|hGKPzbTy2$6GRajyn*1?uylc1FJ1#kIev;QaNJ!yh$7rCxC8@1|@o$j^%dVSNV
ztuM&<GHJsn_5Nx)Tcd1Pmm-g+W`p^nx`Z*lmYdjwm2vJtcF<nAP!BpX%<T}%6NtGj
zIU-6THgW3SLZ=ut)tPc60HN~ya1NQPtId0&saC(02qi{?X%BSTH|$1EUhsNw#@y8*
zR5Sn^h=8A}4rL>waR($;q6a0Qa5QDu=8>;0nwL8zdl0+zb?BQ|Q8NARW=T4h!u+=c
z@0n4gacY6fElmyU3_*m$H;>TAj0r#TzEAPQMN&oPO*}`9HJG$Q4z(S}KDbOvRn7#{
z6tFh|n$VzP8tg-D__acsvV8BC)SkQ#Ep1iK0lF}7d&b4Od1e!*Ad5uCAs;h^W=y_~
zOTi`F9d1*?5{F}ORS-@o$4ha9d>o+TxM|YpAnR&f<&|lU(8X#J@>ytX2a#rfwe>Q{
z`Q8J9CbEE5Pf-3il3i8;7cz&B?^QOZtE;-aC2iOGYAJH3xS?C0=KF%SaNcRRG>d=Q
zcz}G^BHhM~1GgQHJ*O$rnP}<8gXiV=V1z1p<7Z;Bb><Om_Bgg?1~+KZ;;E+~(e%!6
zb##yCc`FFXF&0;Swi5^}l#6;=S0sNT&Y7fLfKoqmayOI6nOgvr5?wD82wZiBfZ)r;
zDYDDVX}>I4jFH=0z|gjIGE-9rQpGcq6DmSo(~&qNr!FjJ<c!w1D|5>qLDM~mMWk0z
z<RG_$`kpZHGEk8R8-bPcqSUQ{`qyJBwB!A7jn@usGS`$*+b=xhr9~7+e6IXBLemU&
zytO23+$n3QOZlO-%J-ffGV~9r8Axl&S<OxD&9VH%gE&{II^@2?`J0-ZPSFZ9Bb++?
zvV3_?4BHY&5?GgO8wh#=cWANohV$C*;n|p)udQQ)1&f*5%<C<afmB%$Jj*@xJ3eRv
zSQO&G=}PBh=TzX52eP&i2IEH~UMO`5kiR30oQBw;2^_XWjSl0F-LR>3Ao|XqMf!G;
zmN-~MCb;0)7I(#Dk`I3ySDtC$u>a!N@?b(veI-t-a#&D0H>K#`EDMOXB?2K`i2vq3
z2lZ3^&dhwkHnvlS%(o0x3#I8bu9Ao`>C})$0`-vDV6^(2`vI*1WZ;H=N98=!36%Ey
z-t~rcW<k@iXqf;c?A_TkFb>VjN*@NsI0l%2(PsrizRALk-kp<SQxz(oX~<hEE!IMx
zz9Z6BA49Z16<lqV2n;l|%RsI9Cl@@gC80TT1CNd}*W#md%j|lZg#`i5z;#7RiDk5d
zoRDkn+ZBGzL`syBQQl>m!M0l9;QaB*{<{)L#GHMFmBH`nbPC2uxn+L&bzsb(7(To@
z?MWHsY;y?%F^q}#0D0thJAv1#w+Jn1ej@#&b^?V9S<9v6oK5QL0h8X#r7f}mg_`Bc
zS<?tqL-ms;$9Bs>3qmBZZ&-W3iI!Z4Jc_KIB@f&dT@HPIe`E#AAY~x)w+3BB6C<=(
zRSuP9^LC7|6?~ZzCcYwMy=3*9#;I=G#T#r))p>po=WoegaGm@knQ&t->Xll2ns<v~
z|25;SQ1JoM_R9<8Ek%M)o5lM{A)nQ)J_g2S1{8A^;nzn(EH|ZJC@EC(y@NjSVJ}#4
z;LBwapW58id@cj=)$i{oB^6R9Y1@p645s*WK>DIUtQf|tp_e{lEgZyc$|X<96g8pq
z{(lmq2x*_q8_E!YkGv$_D=5f9n_9W(>iW|N!n&wgeN(2EbqY>cY4gha+=^Cjk5+NP
zqh4u-+jO_WZc*-rtYH>7ld3qOIjkS<P~Rsv*EK7F<p=Flv7o6sTFF^<%7XZAuZ4t<
z3jJ)H`vM#dxC|A`%o0OlAiAO_2;0)a(|0bZfN{n?vp@dbja2{u000000000000000
zfd6(N|Fi$!4L1t+@4gZM0000000000004mhxBj93U(}*_xr1vgJv2V+hRV0Fc3dM)
z`?vpZDzC8YH&x}u0q)U$tq<&OLrohw-c`k6gAzpf@=(t+n0vGGo0!4j?m38FvG<hM
zcuN46G4qrTjfLv+QdyAN_`cWr50!;w^A6^>82Z8%28srOD&5W2x5b+g$!|AlnT`~2
z#v;mJNHhgl0T(V21*0t(Ptsedor9QaOc5sJc(2)NPq!6ZgPB8o8z`an`ST8eO&q72
z+JcP~7psga*ABJ@sm<0)55FdN<<=N{B9g}x6^Q17I!d5H3IoWDWo+4AkNrpER4yM<
zM{sBU#7|mK>BHR$BNRxd+6z@#*?A#wBABF>AV%gpqDE@mD%h&3oNA=$b%xl7V;g4%
z!(3omWX)r9V+PSVxm3fa%KfrJ;sGtuz4T}*Td@J{U@-qYUm(nnKO5<g3lr7~P#1xg
z^*Z<zkfmZUq?8I9!WMyx_e6v}TQ?`(=8{DZ``QotsVP<tgdu>7T}XlgnqrA-kW37Y
zMqNm(4s61GR7u-YPc+WG)mi3~4&g0jEe7>U*bD1D4o$Ihvq~T`0q$=^j{_u6S79eI
zx5*#8tvV>|&1S@8xn?HjfD~PjO7E%Uoo<FDFDS|MaKWkb<zJr4%UEgN`A3?I5C5n$
z#AI9MO}nJ+djN*vA8jRF+cwwhq^i%-{@JblKXhB+J6@m^2w7_(y#&sK1rVr6sN$zm
z?vZO*Rg!P^p{dwaKw>>qp83@+b|}t>$n3adnkIa=86l&pgZ^3Sse2$@kHR7d#qqet
z@O>nwMMZqZt6M_a-|3^IIv`{a^4Vwy`ZV)Wt638;8zf;ZQ*O}QGV9l}`kX+V26bo~
z(au5OC%^d=kA<_H7&k70Ma=m-Ms0f}${Ni<e>6z{ctQNaP_E6gP1dn#7Ca|(8?sGQ
zMOWfJv}H8N^OsxRj#|gJ_OYE2YL=LN$sFg<V7%Nt^{5W^st&DmUoI=pJ3O1+YIN~l
zCrM`VNG~8QDu^PCRmB+Oj{(^QmEpmg4l-i(0tp>@6I2Yr0ee>bRKn;1se=G|K-@vp
zMJ$J-gmZ+}hjxVCfu)2-hNgu6cjp-Z00000007|M?jH&a(5FauNV2%IRot+J`@Nq;
zsmWlNe+!I_Be}|W8Vj|uNue-#d7W)FhM2m4I1{W**d7vFFV_t)PY?rzT|?K%X4c;`
z!EbQJ9};>?l^ZZ>-b|{-b+O&7{mF!uy%-F;5+!jjUf0RnuxETFeEp@e&V9+lCo1Xh
zK2}4wbR8vH9NQ{rNU4T;{g6SWtU8q5;G(ySx=6Cq?+-4tYyWbs0KKpWYd@|!!fWET
z!F76`Sl8_#=O$j;V{RL+^&*EWiCsm?T1fEhe<>u$JGnr8ms{ti^sGTh&!rcLDqS)M
zBz-~$)sk0~d=UCjgA(_-`*SDJZ)p$fKH2jHTTBCnN3K79E9n?Y?N0RM<Fj9%F{FAy
z37()cSO8+j8XKNN_$JG9ai(+76bZ#K6@w4kH`ST1)^9}0;B#of=Jlbg2)?C1#ARLL
z*HN%5it!ipw#Zn4ykDyQfUg)g62U7!Xui%e0>YU1gQKRPbW-|``W>ISnSVocil}(}
zT)E5#mZbf!pMGoQ*9-&KK8W87OCsCMb8v@%iGn+^D(}CB%O-tSsSP=|x%;{oNVjMv
z^#b2dX;D%zEh}wzP*BAV`UV^bf#7^=O17sL>CQ{XThjW+*$ynj6X@63brlyE2(v|n
zHzQkNM#JgO8|$2-Xy!N~b~)5EFTbpA6w=^{VB9krWy6B}IGqZI<oh}TM?n0&$lWy#
z+>n02Sec6&?53e1Tj*pS8XErrZQ+O>vz`F5!jX4ktc$6{K|En7kgEmnx}P^nBmgJ)
z{bqra1nF)bv06LaU*A^luo1)(Xiw7>m?-|KgDrf{ZWg|jIn>C`s;Y1C$u{RTk3dy~
zfadwVc9^^yH^0Z}cfKhR^-Z`7!$Uz56Xsf<VatL~*%%DOawBwZHmpNIta_b>?H@II
z`3vE)ZJ%460QHj3-Gj*U4ytqNMMC<2eM_9LpdK7+y}0H{F)y<Ap9Jwe7&BD$g-+j@
zax6f)EQi}IZ@@d4IO&q%;$ayWLa?%1P!pU4q8F($EH~$@*~)Ue(@d}FBx1dOPc2Yb
z4)-F@KU9)16r6g=bCGF3Dibyla!&HDfpZ+VKLlR*GH|!h&-=dEta|@LYL1Bf!9Zo{
z*cM^G&EWtS<JG{Smi|r6S;GTs*kkiK1(}jH0llHxX@%|6kb$4Fbn{WZG*Q4Cn1fZ8
zXW0FKo8FoQH{(IpkqMcT4kxy~Vh-!64IHP^BRgm);*!I!+Qrl9@VM8v%SVZqj5Ay%
z|1i5{&?~Clv2sVRM?2F{T;=Bt-U4#qJ5kR}MZ6v5?YMH*?XlUWM2gdaSFqu_Fgx>A
zvgh@wx4`k{tcwJat^BNc^UN~0badwNOMyAm5Y+rs5yA;50kxKtmEtX07q2d{T0EVY
zS`sqH`4HDj`}hvKu*6RP(reEI^|EC_^HyZEC&rynD=T<kbA01<nBuTR>C-2|m-Ka}
z$X5ua-3Fi+wjK@mTs0n<?VKtB&&8KJXWupx*f-8q?R~hguK}G|r`kqro=h;qcapWR
zP$-a)T{3H{piHVfg6SkJy36_}c&nfuvCz1mB#hSIk?~NQ;c&||72VeLb!05OrzTcB
zmH!;d)4>rWheYwKKQK2)z8;bhk7o&-@*ESP6vRlKvvh&}_<7r(J6}vU4xj(LL@ASb
zgOzyO;eUsm?_pAQlwkGE9hja7;m?w32#1$k=v_SZ6WM8Sa%wnH@28){b-;yE`tOj5
z!8$u*`+MMdHtaX|b|dLo`oPE$_Sm;+#|pJrM*dd6fgEblmpi=dlF?jYDgT9wk0KK5
zxJw$}8s%1Sm9@_n90m?vq<xOlmv#617fEiTFi_@BcvsWjEge-cXbQ32xU*dhL7p-a
zgH3|NEN0I31_;OSrX&&<o=aN84lrHX)9NJ``k-hiaMrCUiuVM|K*x1bx$bu@{K0}=
zG2<m>)a41t*9xL2=Y5`h*|Ah)vO5bz0=Q%<!MUc$fLwu|6H9pqPwMYl-sv<?w#koJ
z%q^LtciZ`5U(Uo9?rfUVn3MU1L8MfNt14$;Id=3vzV&yMK{}}N!JhGb$H&cZXPoEO
z`bj>{;1*Kk85rYu2`Mh-@0nMRFy?DFlXc;R|18<sxdbzb3e!6f3KH45RX7%)F)&Mr
z8cT*Sh#eT?7PjZ;VdquN?Oh~k=W$Y(zh-P<t*2{2ZLe$L0QP@8{~rXM0R11&{{!a#
z0Ra5p{lm@Ymq{2dC5}_6pxL&NVKT9VegG}s-<!`Ot<l1QqC0G3TA^`r*T4*6?&%CR
z)Jn08Zch9&GlIknF1_j#<wAIdGQIMUw52}W1Iy9tcgkMB!FzYKlUxZwLXUar`f0Iw
z@ax`oW-_d-LOeH2-U#w*cfFB`tzNf}*ulzh2bQA4^hpuJKL6jYIhXhQ$tj50b1j?q
zlVtKILqg~Sv1Ut5O+Ow+Hyh??&g<3b!Q|M?e#Hd7RE3*6heHz9xou}sn<{`;3LjsF
z5*t{5x{J@Lm8hAIY2bgjJmQNFwwPk=c4#}qDlFih*PK^tQ$4yef|?Yv#lo`^(MU={
zJE>=wBJch*`9)~g1c^dMi57UY2~4C*<d4_!J{!Q-gdQUaBnNJ}lOsgklj-@RNBgE1
zJgM%Mt)U(^D00ZbSc<4)+z^|4yjqnMC-zuc(zq{}FB*Cez4x+zqig|4k$)m`UuSJ~
z|68AaZm2_McK7D9ca}I?CZ7VRvm$n3tn*GHSon_Gue8D9x<8v-CZGhf4}PB+y?lfh
z-{!JBI9g6*Z<?HDm*a=3f}n3na(;m}>Z^~d=6F}dRo3?8)Uw-_pxsLuyXYau5MLaH
zC~obA@`H>H>!EMqv%q$sVRziIt2fR~B}((D&6{Rtrz0-0kT2f!*?2=*A5}-yj&2GW
zpFOp)+=eX*uSSGip;b)UJ64f-45gP2Xl!1RvE^`ya{CZZ?YtdJ2w_jHUKhhwbq4@v
z#eH9d@S#Uc%NcQ7dUXR!ngAnKi^6nHQ;Fql?tM4F*uQYdrPSU{vTWg|+H&>%L-!fi
zc*A^M8CxS>64quMYUg8;_zD$pjlLNFtINS8+4o7?h@BhepbH$wY4#MZAt37YtuQ%9
zqU~~(RVJu3oB+lyj9#v(l_zIy&j5*iBE%m!GPNTihv7Dcx>)}s!(?#0C`nQv8Z*i<
zsyRpii@~*{+nk@ZVM8>4jU-Ha29E(r0e(*;f;A<juLt^GznP(NRjwG0&%5F=@-mEc
z8P&PV`cMW5b98~c318!)Lcki{`X5q5^`qatgjGt(inz03XX_iDWOV(--_#hYmT$_t
z?hkn<Ba}<gf};*BQ0}(`U^q66SlFXEC1{b>N<jpd8(h@raB(P6)cAjGvMb@6Oi}(R
ztz-JOxkKbAx+u$C?yJ4ZX>`@YsJgUh#5SiC7>mBwXw#on=^#<kBD;~{1|oDG!G!tS
z>@e=^k$QhK60Gd!E9S2JhCJ>ZwP5!pZ;(s8rOz=A`9iY@8fl;B!>fBAG{0s1q&h^Y
zG#Z2ks$$bI+fe^U&ZbNdtk0gVz=E|jEWU)aoR_V@Kt*{`blIYf!8RZKFHw>wpBo*U
zKm>{>HM79qsmZP83M};!ELZQ!T9Brru8M1*zODjo7z4e~<EY0f;im1i3FK3a8$wSj
zvl>l7xLsVrGxNseavzH%l_uLrS7<6_s+7+K+Fm9^yIPy_mpoU`<L?b%-0Hb?x<z=T
z5`3JZa1t6ayd*MeHPsMEOi-FOp|loO9N=qWM9y%)x@e^V<~Jd`&vg@RS+_cya!sXW
zF-b&&x}Bj9Qj<d%Npucuqc|p&`lFKzaYSa;JWoB*Nu~w(R(9ph!O7U%FAX##yyMf(
zXV0r*eP2#ur}m<5Ioe2awv<{^e5;N*q4l@O92@u5kDRadJuips5=uv_Sxhevoz>n`
zAYkA>ix({fc2<rU7r{eyQf1-Va;q&vA<C)sD1Bw9>lGDZDSlA+x5_G_!seGS&3}3b
zvOOz2(zU_v>r=KrZA+bNHAbCIHIrAX&{#asayv8VBFZZfgJ(IW5L~t36^=!@At4Mw
z@#Um6KY5C{HK;@RnjU5iLYeE1srguY#|7k1XAF=$h(X$7i`zC0X?s~%m2&8eyf6$D
z9mu^GLCBk!jQk2)G8JO`mWqcBA=6esUq0Yh1+#b?6wZc~CId#Agwq2T!9FgIsm8`W
zSIkvZ)OF~QMVAfHxO{7l0HU=T{)rkYR@2vbRjU+uGCm}~!8zl{K&tw10S2Zbl4>mH
z%i>GpSxKEA5$m0e*hmSUCNIi5rSL;x);VfqB~mu2?X=V%(8&aJG69{;|F50Qe@G2_
zm44xqhs!>cAyN-LG{535Po~!2)D&LD{!qBfE0xgeA9x*yD7fJlHqj>h$>h@J_$AOi
zka`|GTcAzqc6MWO>>Tt*6k#I92;-B3s}0lYQQ!e)Zq#z%tn<)QpBF8pJrE>s*u3qd
z7gh(I`}B}+VkPk-)>ofEX%515z0?nh%rRg5iV}D)c!0do$4vJM;qk`(S@2V`(lXRA
znIS+xk@nf^WGg@V%&+)d&7{8@1knR;BoIk*`4)ErYq9ie81knD>a!o-BI?9DHTX*Z
zeAigu$58dq%Y7jnJGL{~XA*f@V`|Yp;~y!}paFl8lPY>KzqqE$8e|DG+ST@xXBil0
z8xozCp@0cRwW015gscb2j3O5@Rr@YiP-~4oPkyw(jM#qIeFEOIcE+sfD)$5DSt5)m
zI_Y$sdd!6Ep65hH39cVGM5qXf`vJT?HJLwEJ(iNMf`uSV0*J`_S*IqpP4)k@csJA?
zIbwv2*XP!}ORHRg-#qK(Qe)Rvld*XBP`rqP_9hz>zE-r9t;(Xv*H>lN2X$JRM!tOZ
zFKPm}Gsn!z-WSf)?(yZIbw+S<$`6w(m4h;qtZp<1vn)+xz3Q7)!lx+-iOEp$caiiA
zR43a^<Lm7z(>62m3XiQZV;WX~hC90o%WTq(L5X>Gn}?!=wlaWxDv8QDAR!V~e^kDi
zE4P3!&>hnA*?E&eBtclfO0t?qXiAssWp|a>dIxELvW-OdrM61zoR3?n@_qGa%P9v4
zw_fxa@E!#PH+!yLm08%|h4tnXU57DajR6Z$bsSr|YqV~1cd=WO$j153`OfMfwVD@d
zH^vpaZ@dfJB*}UAYGb0Kw5~#mT3CuZ3jT&F?(XgJkL6|<h|pLVbU(3$9l(egp;ky~
zOyy-VtC08=RV1mIx2JJM0eQ#|`Apjj5noz!*OeencR(a8)MCjLi&ytiSq)~#Db<k(
zU%Y-#J1a|mBu12261NOGd^ol-N|us2EYOx_Cl}1o4`m6(R`7m^=12^iI`vA86Qqcj
zj+>>idYpwzLecX7od5stuCxFE0002~_xBHbvIIrb<^8xG8lv!V=BAA~kOk-Np1*st
z+Q|ANC%h>x6}`L(nrd|{;7m_p{0dY8MieLU#%|JL7I7AYYlBk6E^i>9P`v_c|4U&@
z&u7+^bG19D5bO_KD_KRv>(?Z*mkP60fkr5{+uzD#uO2gWS|@o9Kp=uCceF4vnqdqZ
z6eJzLwBl9#HdRI@z3f+(!VqhTEd9uq)pBCjcw)$$yKEi&8l2V|qUakS;|v6?=7$@M
z341AMhxCQAFO^I|$j`OwUZeP-4e*ien+494jN{3o6$B#>Mjg@p5JqMgcTKBxUxH(P
zJKEU!m5li&^>5jY{_YJVn1?Y6?er@)fpsbJ`O)orW{UcaqiJT%wBB7OV|U94-zJ+I
z{4AkQN@8qDl!598b=i1|T=jZK4d?_S2znLluBm+OhZ!`Pk5x|=I{7QGeKQcB{33pJ
zT$5LRE8Q>y2<+~_cA1T=NwWWQimRL7wcXe;+SU-8i@SoLwtnrIGx6Yawh}SHYF`~4
zeI_pl*2TCn<_+Iz0F0!3pl8@lzX+Gjb<k_HQ%=RrR1Opg38=s)SR>~qdz|7~g#L)$
z3D8;GkrwTu5DiD2U^Er<_e)W(hzb`A{v7O&m~_^36E-(%@eSP_QcAj#d_Abfo1z?C
z?U#bv@mK$oPPX1r{1CtQkb<`r)HD*zVT2jG63Lxl+DNOgA1YRTuj`w^0;35J9laq~
z)hBLkWx;c7<-w4XVV&PqZD9NNwPFhk6`A(`tiY(_8${Kqm%lwD^p~R$ZFX?Or^E<{
z*6P96YcJ-gL+z6*k46l^qcfRIF<gLqo(E3qm6DxQPJtVn$UYf9r%aZKtD4wJLQCE$
z0%rzi<A=2<r*C7YblWj>j+A%EBs5kKM4dW&NLF8XSHqs?!#{9s@zyITaHWme9W}dX
ze{n*k<VS^K5KaDAr~(5$UKC^NWmXD+NZKmgbH%7ucXZ&5eZaa-`h=V(ywm3z3aleY
z!tC&smJDD|elh5>ezaW}Qid|6X*gA-C8O!d3!W6kq0j*8WpPlrI{Syz(E4CLB|)(q
zH6=TIwIhJAsUs~;|4ogj`S!^gA#`IgoI8b4{n};JByY+h`C^TUd02GX!O+|k(x;GE
zhhQO!iQlATxziS^1f272Cl!vtppUN}cspWo@zgQ)&?CW=QV~n+Od07jI2?Wgi9%@i
zw+$dHVp=v#T$U4BQAdQZZeq~wN3IW#$ICoyEh$N+_>+sLAC=BWiNEHgqjYU3zfnvx
z>k2a;yv~0*v}c24+h1%+ROo6NoF&ptU2Ye|L>s4H!u{k)Qi&$J{<xnKWBLW!O#6pb
za|Ut!kC9dv*%GGuKBOvicWMthP}n3KL)VOVmOIUqgkAnEhf(6hYM6jRtz(~gQ&c)}
zN8uS^iLv?_?i4kU-jDBkF-?PGOM1WkQ0i`fYth|2Pe0+gZKYaB2^*V)4}LSUJe2Gc
zk&1u8fs6?!PNsH^_deL%RbOC(zRykGS)n_b#+UF>Zv=L!#xqfwsVYGPmu{rRf_%q*
z!XxuzcpVrn4eWZ>rnyOL(B%RDp(~=&jA76<j8UgW01WZOow2jEsEyVI;#e8^s7FNr
zPmgcg%H`19A9+-AyC&_XJ?6oJ>t}|kC2(&vpAKR^B9mZ*G-k_1X+FuO-D0YBRyh{c
z6I@WX%Cnn_o??F7raOmS)zY4OC(A|8KaEU~){GQ1qi1trInH=)dO5SpoLsMgAkzY)
zXDLqb>*p{ArUHM`U3)^5@<Z^z4SVMBnN?kc;?qOSb>=B7R!HzY9Zf=aR*1W_)3hh<
zZbq>1eySyU(1oINT<7j?U}eb(@#|H4XG0<E@2<4{^f0H@-tCm!nStXVabgN{g+QQy
z4;9B4FOP*b64O=Dd@FrE^`-t4L63Tq#dLqc1cG7_vEiq#t-$dk{K_01MRbWwpmd78
zbn41axE5P3NpyCZWr7`neR1pzUd{qe=Zy{hQAux1wRZ|cx_d^yqjBj3b1S7A4{U5+
z`oT7`Qs{?ZlEQTnJ$>v}WbX{zv<Iw5N*hg?64pyzJxEGD$n?&sz_yRmgV)2d1qm2e
zO!)*j$bU!;&hp&YvDmW3$(>M#RHgKACC`f9-_-aQL@&?Rr)1PEiTWU&ommK<RobMp
zf-1V_(%3W1L7v>29AJkriR0d4`+R#q>{hm4H;d2;;q<Ugu@hG)q%`-ryJwC`R<cW5
zBX`mNsU1c-mBk;$y{#GV)5vGLQ8u7$4=ZvTTh^t)Fczdx2kCFGLL*g7RVz*3Q9s%<
zAgvJ<Owku_2kLR?=TnD6(vP9rip1kc<p-o0#hmq19Jcd!k;PUpXOu*n7ZTGN;cc<-
z$n3AroD>1D71cAu&!3X=--ciqqW6b6$n>i`)(5D6Unn?&!h4hmic!W9KK`i_cKPkB
zO>y|`P$I6eqSkd;OR^H>qeu5%^*AC`5T`Q_NH_4!$O9vuw<|`egY&cWKFrz40{tZ*
zsC@pOiuHUry7ZX;US06l!Hgj}P@$l4+si%9g(R$aK=(7FT6Y^YU#?GGVjcmAh_?A)
zh4%_5&5vr+B+93Z2X4uyf!Rer=5R$heaB(Uj7PiON02FdqpIl$Ibo66=lCU=oj?l=
zV&oUAj){bc17O^64cZ0fT$*w$*7j^1)L%uw*>jbj$!Dhsg+HPTr~1Q#g!u5iKhU4X
zLP^ju7PN0FY;eu{VrWHW=z$57NNS7KI$Rm$8F~-79rORVNv+F&j~S_`J6|RCrr?rn
zKb|PXEocr!<Y!s9WPlsB$?j5+-^L6m-}td;y#b#>d+`UqffHKTE8@-9KgOfK{TQSC
zTCj7|_dd}RtfUStZ+P5-zaJ7)9O+qo_Bj2AbL49Hi+@G)0nYd<y8Na&Vx|_ls~``@
z_mK+dm1bC2hG2uzPvGD9x0d3;MZV0sNg@<aXMcju;J~$fNU`#l(wcCTW!!Q&ZZ0V`
zQa7vLNnhqB&RsAskFPLm;bLr%Bs+lZZP*xqH>FpS{9U$`!`@0G#J5`wQtK?mR(0fn
zjl|&4v2X~Y%LyC(4p->on@V~T*SkUtQ=FP*WM2Nn55?X~yjcxiu0gEwGWbat4{U86
zjmDiW$Om>t+fKM>!GB(n^zMEcX#whg00000fd6{`uqV^{ifXTA^Koe#Xx5e;jn7KO
zF~0x1CyVquq!-Z?xt`Fu<|tF{dq=V*&J21I2t_m-nRx+G>kJ^&;tVu~s9cXW$-&9c
znL5uFvor8pkQF4|175h8@xm^n?0|JU77Z2$3*0>d;-jUSr#*D9X^FNN0Y<tzdlMOQ
z;Zfa`ARqS*9+3i{4}5VfgyT(#aH03EFsx%@9mYWZ;9zSh&idS_PyUWduzQmMr6-=G
z)gakUuh$dSG<Pvkf}g{s<`5U2yzqic=2mq*JRI_Jy=AyMYa;iB1SEx8qa{Ww(KKCy
z{pTAr#zh_T{a{zBL&_3Mn0sh7!B9#Yp8@H7{a`rFw+plgS_0fO-j*tq)PA2d-0WWP
z^C}0F>IOp=jFVQLg^8z!oNgMp=%u~(Sc5EuzQh90wnJ8Ory2tVsb8re#t@E=I<BFP
zzALluU>FZF_Nn)>?UTyvC*{?B?Mn+rI^?DsXd?}Xs<>FrmC>}>oGj8w27cf__O-IU
zt`F|bmB)3t@>%ZTu$%iv1=ATrD|6U4r7xF=7@1wfSvWHTo=bpj=ddVTIk3opTI@}=
zGr>}z;gYuG3n@cXP+{S7n#Yr}BqRNKv=l0>thG7wm(Gnp7FZcl=#=og7h^In71!HU
z95df9gyVL9c9%E^p~+1OQsUGFXnF=X0soS-0vfDf`RQ+OwWmELKKA&e)9l0R^Fur-
z_OXO1S);Jkt&g&taE?X)`arM3TfIPd&ScfYkRA`3dU@Sy|CyBXhkqHmxK71ycCd&!
zI5l!-{g^9tkhc(f!|icy_w(P&8v-H)zG@^QGoyUwBxC)A&DQG5D)MzXWQ&7yJ|@b)
zyiT_QbDMl+6;|&H@YE+NAIYWE5qe|#->$as12V9i3c!KFEv`ie2$mD1I57L`Ko02P
zVhN+D?+Yb5f;xt*&>&t!VT(ea5aiHXLyqFVN6*bM&9{X<_j%ZzQj9avmLx&6z9cgw
zShLaOzz8?giyym5x!~cV(yf{Gs6^D4XziI2-Q7zUe4|#?rb`hdpCe{i)A0YNN#-kO
z*O|<~7q@reaiZHQnzi&jZ1#UsL&~r_3Iwr)DwXuFUHCU86sTxKT#eik{@V3L^L6cg
z{kcmcm#~d-<JUhZd&E0Hea}8OU<+mQ^L!s%ukK(>R<ISmN1IiDj9jCB;Ajz~@(cdp
zSg<yIJ*;mGd7ajB=ODy6AgH-)X&vBW%6VEL0%p~L;-}xX9m_r(r`qo93G*4hi+>R-
zka|EKZ}ruC+bSK8*ghmAQ_~T1j!h{P;1e$w3)uSk1kH9YM^K5;4&{tr{a!xvHV#3-
zQ@W;Wgq4u63_9v=l-tE@YVQ0%R@B*C76_K0XsC_b_-BdFC&y_{ZndsuY~2?V9Q^X@
zIb8#@?HK6XRf$<eAeJ_d5MkQ2{4Vme9P)Z?yVke80v3dxqGt^5OMGK9F0nWJiRgHp
z=d+XxxWr-=RpNX2sV6~!-2pNNdH_FJ%|ki2<EtM;L2JQN*Y^2QMwq;};06?{>)EKN
z6MwT;(%PlT_<<t=AqH=A^Zn5Jc<#@T^S6Z$RG>C2vn?tSH*LCuEA%z6=|<<likk9+
z6())CCzn&x4s8wh_KzqK+(!6U-VX<19iKm{tbc|(`nae-Gu-sI^gH{;E4VAz1=t3s
zSqhFN7p7qv`+Z`*!N2GxU$aV|-92L+J?j}1QAtI?!~qvhzUKbu@B&j2bYg%}D|Qi~
zXYzFF7v4xOW|z(4#QLHE%Uam^k*4E76;^E~m$A1yHG@jrfoSb3DRvQ<0N+$+_943z
zPcT859w>b{>UWddG(ANzmdBdBy_eeLY`?hQs@!<4F3>+DxA&8YmopeV3;Ld)+z25w
z0Mv2c<XK&s0;qe4YSh2rv&#`)mOOI;%tHJo=*wZ+c)%TF$cz4_IA_s69t^?Jx?}tV
z7_Zz7R^5A%C@F9sgytpA&v(Z;!gx;3%EQ8V__HHvx&Er;b7;$bpNKTtJ8E{DtYnK^
z;=nf{swl<bDPOlUQvki-Ee=k)+$4Q+8C#e1m&T~013w1HXvnZRe{qx_WeVLHdL3vD
zM|r_8E`gk;vc}Foq~^Ecm$R!aEqB6j@Wwz8*D8w(N8;bqFpSJJ5~6E=lgvbq%;RfQ
zEMhz4)1%wTuAZ?|$0Fomf391#82$VnX#B{FKW=aS-fM|B>fixSAcpxxGmZZVnp%|F
zMKCL2*=>~7!r1b2Du-uL87jub0p$u3HeT9ZQ?8N10S<R4w7V62=O)rFM>&RtuH5ci
z;Owf5r98Bz5}P@mw<BFBDq%y8U?(=Fmm2wpHS)pG1`kFWV>1GKM?Nb^x7&`a;yg*s
z`<#6-{;-t2T6^^!hfcqZE~W_o5o6?SfSZpcxID<lXLzZ{37CmWnOpBrT@SnG*20uD
z96}$$@+J|K!#Enb`Y!vb(<M8|F9^zMxKS1#>LRIE!N$)mspcGmllKU@B8+Q+KjyF+
zzL(N9zzd+HcljU2Lwd3l?Z?t%;10^nQb?SgXq;GnN(vEyw@M5tr@dPp-GZ!?Xu2mM
z!a_DqUQRkkZ%bKstYS6z+p&AN9KJ4UfuwDdlFhgqd}nEA-0A%|e44%Cd5}-=x-nM9
zLHz`C4@Ng|o*2cED)TE+gh7Z}e0m&`F9IgGuCXF9tT>3zaCugRi;Xz9(+6|AoHU4y
zz$9*B=+t$aDJrUZL;J&|w{Y}ai=<G?zHrzo>b9CMo#{IiYJVQfwcv4oE_nMSWOpr;
z;3FksqabyhqJHx=MJbf3YB`NFyCZcUJkHS^*zy>C)UdWd!1&GS^`816vq8q!Uer<j
zL4fiRx`z>rl${nkvqD(W_|Bq*b4QUb=n*uAzK|{jx{<vAg>D{M7Mayp<-BuL>}kq(
zLmq!P<{ECQj0x^~Br@0#9R@znRE09Yf?c0#isOqo_Z@1<<r@e4&3+2i%e=U;83r#S
zM9R?nqfnO-eIkpa8|N6mNRg<iHT0_MwYMXop%X$;@K${Sl7WP(%Q-I<@9@HwFX0=%
z?o7dP^A!6hav837t6IbQF~{<&EjQDg{a#}Ydx7liD{`MDileZcEKmQFotCl()7n!4
z;%~~DC>d*a&4MYvvNQ~y5;#Ro%giS&FlPv$7sO}8Q^ZC@7DOL7D>xs(96$g700000
z00000fd3}{bwf4CCSb$7zZbBM9fWb(;E7q(?ib^AeoQ%pmV*yxNz~2I+Slk8ebw4=
zz~iC^CTo^Y=goQnUsE1ZzJ7J*)RgVdeKFtSc&`>OqqB0Q%lC!CFMao1b<OAA4A12a
zfQ4?ZFe3U64Q0gw-#NH@3+_r@Folz3LnhDV%}oILLoYw(&U9&by}v#{6yXTC$Fzbm
zk)S4<ljujUu?!>?7jjxVSWZtZlRy*Vam8Rikmr|dJEaA)<gd9eG29xN?d6CT4|vP1
z)o)fR)v!H_+Blb>Z_7NJo-6m?i}!+nGj{dZz$2w8e(!n?L`D?qo13|E>|fB)1GVA-
z4X@M>=(>u<E^<FKLK0av`IcgWBml>Ak6e~tjx78RG=2j=pyk(&bm6`^CH9ibszLnR
zJwnFP?8b;zRYJ`j(4+2tOV%i5)Ai>J@3<vC{q|!jeO~FBCS#7{(?ciq=dEfIIb%}t
zHJV=Rg17m!m`t|OX_aO7fZei^IzRK=1!;MdDAF;+{OB_^6l_G0+MH(#?r>B}N(b}B
zP8CF}>FHuL*~&r{{Xl87Dt)K0G~r>a3RIEhBUz_e8p+<!9CKe1&8@-w9u4qZy%|o|
z5Ef3p%3W}^SSq_^-&%pdcZb6@)C}j~<RE!;DY$TX)eutSi0=W*iUpkHTHB;Oz7on?
zG|^IOxbd-g_{HCLO<|>olwbT!vgsMFI!O@<(5KuETuiH$qdyRFE+BegJrovC=QUP^
zP?AeZ5@oAO1blf<EKAB_e^I{=r#{4Ux8KuWd9Y)-150@w)Od=sM|Q_Ua>`*V`czKg
zHV@alL9{K3@Rz-%yx*`j-2H^{u~#fMvg0MCH<I~=53!7oCoV{bOcNP=LHPq-f3e&y
zq180Gb~=M-cLmm`d_JQMAxb49A%fy4#H+(T;3>^U?j=vjoErB_U3aH}FkR<kACwt0
z*QyMoz=rT!oJZ2|)dm9?Wv)wM3uaU8es~U_M9tH|kS-`1Fat9=N(I!X1kPnUTV%K+
z?6Xg-0nq<BLREJ<#LPmqz7An`fjn86!8W?~_RiLJ2Gsf{hWh59%7%9Krq)(~{yzW!
z006*$J;2lqz|;)D)C|DX48YV3z|@R?<J62}a%{Qt#vjyX+b*}G=QJYZdp+KNQ=?-9
zlG~R?E5?(WZyx)mHER*hBedv7lDH!q018``o!=wTzZos8ngKmQ80rObA|I1!+g$1U
z$)H03qg|il@tn};m0LdHOAz4U6Rhm#(!YEzyxXM)k2gWM9snYg%6C7=#Vt_y+F&0R
zq#T-xMd;6238%|T2Apu6Rn!b;Yf%%tjl=2}37Kfe1>I7S*Syw+c=8J;N0Pp&<OD@h
zAq$bgXKP_Rv}0E)vX#a6N~*VNm~5>P79)rD@PD*-r~gba0075FBsV!C3W;(vOTv_E
zm>fAGwGa=>O{SPRp3pIkhA>x-jFn@wXT}_1lp{A;QO=m=Y83PEym?+f@1M_S-~ZzG
z>Zj{2@*;_+ayR%>AGA#79;wYooh%Rf!IWckQIww@e2PFBj5KEle$}*HxdyHejlA%7
zRm!DB53KJXdf%v=!mFU9|2ZbvZu?w{d3N{!3-Gl;z1gkaAZN%xh$g9!>nnlEO>js$
zEtU98Br1_{908@iy~{eUNBN0TmCpjwQ92jgG`r7iKycbchszRA-ZT?285>l-Y*Fdw
z68Dz52s+V+*LBLtSWwRu?V<XqnvOH;CZfNjQC7FUeY`=AR&zF>&bvS?%Vt@mbFa+u
zSXZJYQ_}m^ZYwg#7UJSnN&WeSuBuXo%e$$)U`1U+cW3Ti@5cOfpz_`n5%7{F0Ji1(
zPGUta(e>)9<>9cUq*7JVDpd&w(sDs2s;9Wzpiohn@~<#e`+2T(Mm%=1qU{v+q!xF+
zIU#~4L<M1DQ(HGtn(xlWX`uc>`Y+q~`l*UQAG3P|+uoaFORJ!#gN_RZMNT{@#xw@$
z4enyv+v~h|-|PXl<AN0DhHSF*l+jLEen{s<>|tJh&ke&NqQGQ#xkpG~8Z&d>XXVMJ
z4p7)iom@MtBFEiS;61V_x>puHiifTw{W{Bd?N3EkABNPv`%S<u&CHpa-IVG;Xt86B
zy&7A(X`?SE0wR^{l4idQ0kuQAu(j=B(XM6-+A<BR!5<)j$qSA{GWs`fU&PxFO6tzU
zW**Zk_rKfUO^UM2{9#m>R}dqc7;iRfx0ZTFb4Yix(jiPx2rQO>(!dFSq%YP@x~=yx
zkhEbiN}u!p<KW=n;Nalk;Nal+|M`#p_oDY#r^L+5?awV)DqWu4I(;iL`QQHEDfEay
zH@o|1eJ@4f96(IvDoS(0$TVAqd*A?V%o7m+31oMrT!O~gC5(5K)vgjx2iB{=*p{Ew
ztV?<X$9HtWdY<!??CPuOk2j21eU%eHB$8i>kXLLfd*Vo^02u<Z1xKsE;&H%}GS?9+
z3joXVnFK3f$((^-QB;6Ku9o%-T8qiZSRj#kF?&aOtk8r>s8KArgUC8a|Gj>`V#M*>
zg1^XKM_q|+d@*EM$Z0n=0T)J1sDbl#<cL0XPNCX+;`sZsG|QUU9Y>U_mJxrRZyoiZ
zEm;UKivv(%yOUe^g>OjwQ%?d-R~)@BDckypJ4<%7h7V*drsxgVnDKf)-Wtv*5<!E~
zG16$^crkm?STp!gck3gCJ4O%s3#4GL2x`J(#c7n1xHS{ml=-GA+I#BRelMk5<LUc9
zpnk}UTte1ixec`X(MtjHj+g2lDmYQs^Q6^S*6_;~ve*!OS~0(82Ih5P{<J60-=;-g
zZH+!vbW?R)2U>9}h$%qTV4OmQ06zss-NqwJR$X~@j8qndhJ$7US{PETpf_nXu}+hk
zJk3Wxreac!x-=h(*SY&;9V4e8NQCV<zCLyYOo(AIVl#iwmdmiB5MG5?0yYe|?a+<~
z@UMLt58Zz}7S{wb@TG599K>JUT`QUu@IBf~vo^;7zo=VY$gr)Tq9ZzwbT@Wt#hHCR
z*z4S*#(Y3WGF$q{@IzI4Xr&8sdkH^BFt)e#p6WO$cEzgpT@b>Q_(ujmU@8XO$8@->
zq~lN8Br24jAc__Gqu@*{*36h4tjTjZ{BXetHAwoYuhQ$I6z;Mm262=T-c)}Maupj6
zA8>j$n{%Q?p!5`gtQA8vj2_%=5~)D&4=P3)*NiYe5Ix$V(<S<0zl{tVlVj#}1Zv1`
ze!y8np;BlN2tT=cO=&yWeTK`Sp?#)6?iZr^!Q$&=ipbk3-zZXU9AB6<0FubY^Tz_D
fCDLPGw&!DDp=&o;d5t-g$#%-4@2eI(w1IyBXUd@=
index 357c00a748f8ba04d5aeaac0242179b20e8d2ff4..5ee98aff22e6b7000888c8b7d660f6d8a7a77841
GIT binary patch
literal 452
zc$_n6Vmx5b#HhJ|nTe5!iIrjAgk{MFylk9WZ60mkc^Mg5Ss4r@48;sY*qB3En1y-$
zOEOZ66iQNyOB9?P4dldm4NVM;42_M9jSP&9qQrSkkhyqtHqJ-3g^`tkxv`hQps|yw
zv612GvFewF+(*SGoYW1Tv2CWkN!A*#fWBqkF^e8Yzt>`a=E(j-{}9{cl^Z|rpW<oo
zRK?Y0XRgUa`OSaVu4gH-_Srj?cln(!`j`AQpL?iGT`}nf^NDAt@1D|_G53Vi?pZ~F
z?N&!PaycxP{COr)s>(g{{4ZUZwh;N*a`U2Zy_hGbrnQranUR5UG0^1(LO{363NteP
zXW=kl15!+kjA((w40Nx`3O-HN$+o7QA5+3P#1s;Ru7-RuRM;_j=GOeZ(%0T{tX=c+
z?lF}UyAGvq<3D=qSpL4RkDqoY|2ECiefr|D$@&{#MGYdgo)|IzOuO*$=h_vAU$gvi
zn^c~caD2)XlceKYj%i2KhRu2L==s$6wr_PJwXV!T8?w*ZW<TxCIX0csHp2q|TqmnQ
index 080be8ed53e6bf1cd3f248c9d67e083275088c01..533c0b5ce9e364512ed1037c1b46ee4674daa736
GIT binary patch
literal 440
zc$_n6V%%cT#3;LfnTe5!iIrjAgk{MFylk9WZ60mkc^Mg5Ss4t33<V7M*qB3En1$Ix
zQj1FzoE;71#CZ)(42%qojf{;9jE$nic}<YHSoJi{M>d&}m4Ugjm%*U1lc}+hVg11$
zt0q0W_sGsMTJ%t<?(Zt=_#JzX9lgBZT6&S9cjLo57mW0Bk4##BAipfc@rj<q=GQqV
z-LhJq_+OAPj*c^5?t5Ou;9k{a4#OpBnP-k|EpeIr#%k`&IhB$Pb&e0c-?b^}Trjx4
z!Y`kj$5x=eR(lrjxm!;+Tn~MJ{8jbQi?+4KOw5c7jElt#L=1$0u9g*MWc<&<VZa8Y
zm>3z+0)!dpUN6-jsT-a!>rCgH%3gGHLBOAWtwS1<-WiniTg*;+%sPGk4b|HoD_8Tf
zoK>pooN#*Cnc0DcKWh~kd_P=Uq1|vzYF+sC^;TaG+n64D9e$_RVZl1}lvT1(dv42I
tX~|a9jFrnO_%fwA*SN#KZvWo332SS0_2<03xA@ck^&94f%Nj3t1^`m;rilOm